virtual server configuration
Alan DeKok
aland at deployingradius.com
Wed Mar 19 07:30:53 CET 2008
usawebbox at fastmail.fm wrote:
> The first comment might be giving you just another place to provide your
> CA cert, whereas the second comment clearly talks about not permitting
> EAP-TLS. I say this, because I don't see why the CA would be required at
> all if EAP-TLS will be denied.
Because PEAP uses certificates, too. The requirement for a CA cert
comes from the requirements on certificate chains. It is not a PEAP
requirement. PEAP just inherits that requirement because PEAP uses
certificates.
> All you need is a server cert and private
> key. In PEAP, the client is the one who needs the CA cert, if he wants
> to verify the server cert, but even that is optional.
The CA cert is needed by OpenSSL to validate the server cert.
> Anyway, can we say now that not providing a CA_file doesn't work?
Provide a CA cert as instructed, either in CA_file or in certificate_file.
Alan DeKok.
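
The certificate-chain requirement discussed in this message, as an added example that is not part of the original post. It uses the `openssl verify` command line as a stand-in for the server's own OpenSSL calls (an assumption), on a throwaway CA and server certificate whose names and paths are constructed test values.

```shell
#!/bin/sh
# Added example. All subjects, file names and paths are constructed test values.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# Exit status 0 only if certificate $1 chains to a trust anchor in file $2.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks and print the outcome of each.
demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    # The issuing CA is available: the chain can be completed.
    if chain_ok "$tmp/server.pem" "$tmp/ca.pem"; then
        echo "server cert + CA cert: chain verifies"
    fi
    # Only the server cert is available: no issuer, so validation fails.
    if ! chain_ok "$tmp/server.pem" "$tmp/server.pem"; then
        echo "server cert alone: chain does not verify"
    fi
    rm -rf "$tmp"
}

demo
```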